
Information Security in Smart Electricity Metering

Siiteri, Lauri
2013 Leppävaara

Laurea University of Applied Sciences
Laurea Leppävaara

Information security in smart electricity metering

Siiteri, Lauri
Degree Programme in Business Information Technology
Bachelor's degree of Business Information Technology
November 2013

Laurea University of Applied Sciences
Laurea Leppävaara

Abstract (Tiivistelmä)

Siiteri, Lauri
Information security of remotely read electricity meters (Etäluettavien sähkömittareiden tietoturva)
Year 2013, pages 31

The Finnish state wants 80 per cent of people's electricity meters to be remotely readable by the end of the current year. Although nearly all electricity companies operating in Finland have installed the required number of meters, other matters have been left open. With the installation project already this far along, questions have arisen about, among other things, how likely it is that the information transmitted by the meters will be exploited and who could benefit from it.

In this study I examine the information security of the meters for my client, a company that provides remote reading services to a domestic electricity producer. I also go through how much damage can be done if someone manages to break into the systems of the company providing the metering services. Based on this, the company will improve its own systems and practices to make the system as well protected as possible.

Because the study examines gaps in the client company's information security, not all details can be made public. I also do not disclose the name of the company that is my client. The study does not concern only the data on the meters but every point from the meter to the electricity producer's systems.

During the study I encountered some difficulties. Although remotely read meters have become common worldwide and a fair amount of research on them can be found, obtaining information security studies about them is very difficult.
Interviews with two experts, studies on the information security of the meters, and news about the meters and their information security published online by international media were used in carrying out the study.

Keywords: information security, electricity metering, information systems

Laurea University of Applied Sciences
Laurea Leppävaara

Abstract

Siiteri, Lauri
Information Security in Smart Electricity Metering
Year 2013, pages 31

According to the strategy of the Finnish Government, before the end of the year 2013 at least 80 per cent of electricity metering should be done by meters capable of remote reading, so-called smart meters. Although most Finnish electricity utilities have installed the needed number of meters, some other issues have been left open. Now that the installation process is almost over, questions have arisen about the likelihood of someone trying to take advantage of the information the meters hold and about who might be able to use that information.

This research examines the security issues of smart metering for the client company, a seller of remote reading services for one Finnish electricity utility. The study also focuses on how much damage might be caused if someone is able to break in to the systems of the metering service provider. The company will use this research to make its processes and systems more secure and to ensure a metering system that is as secure as possible.

Because this research concerns information security and there are also holes in the systems, some classified data has been left out of it. For the same reason the company name is not mentioned. The research does not concentrate only on the meter level; it also follows every step of the data from the meter to the utility's systems.

During the research project a few problems occurred. Even though smart meters have become common and there is plenty of research about them, it is difficult to find research on their security.
Interviews with two smart metering experts, as well as research and news in the international press, have been used as background data while working on this thesis project.

Keywords: Information security, smart metering systems

Table of Contents

1 Introduction
Smart metering in general
Meters remote reading
Point to point meters or 2p
PLC network
Radio signals or radio frequency
Data concentrators
Potential technical issues and issues with meter working environment
Issues with personal use
Issues in business environment
Privacy issues
Risks about networks
Meters
Data concentrator
Metering service providers database
The electric utility
Potential issues with people accessing the data
Customer
People with possibility to see the meter
Installer
Employers of a smart meter company or electric utility
Risk analysis
System attack
Hacking multiple meters
Manipulating one meter
Steps to improve security
Summary
Self-assessment
List of References
Table of Figures

1 Introduction

Figure 1: The smart metering architecture. It shows all the layers which must be secured to keep the meters, the data and the utility's network safe.

I decided to help my current employer by doing my thesis about security issues in smart metering. I will go step by step from a meter to the electricity company, and figure out and identify possible security issues and risks. I will also suggest how to minimize the risks. I will take a look at smart metering processes as a whole, so I will not concentrate on the unnamed company I work for. I will do my research as qualitative research.

Even though it is not very likely, there is a risk that someone would like to steal people's or companies' data from their meters and try to gain some benefit from that information. There are also people who have access to that information.
I will take a look at the following steps in how the consumption data is delivered from a meter to the service provider:

- Meter
- Possible ways how meter data is transferred to meter service provider
- Data concentrator
- The metering service provider
- Electric utility

I will also take a look at the people who may have access to the data. There are several possibilities:

- Customer
- Anyone able to see the meter
- Installer, if there are some problems with a meter or data transferring
- Employee of the meter service provider
- Employee of the electric company
- Anyone who is able and willing to break in to electronic lines and willing to follow the PLC traffic, for example

According to the Finnish bureau of information security, the main points in information security are:

- Availability
- Confidentiality
- Integrity

Availability means that the information needs to be easily available to those who have the right to use it. Even though it is secured and behind locked doors, an intranet or just a password, the people working with the data need to have access to it.

Confidentiality means that only the people who have the right to use some information have access to it.

Integrity means that the user must be able to trust that the information is correct. It must be impossible, or at least hard enough, to change by accident or in an attack, or at least it must be possible to confirm those changes and fix them.

After these three main points, three other important points are often mentioned:

- Non-repudiation
- Identification
- Authentication

Non-repudiation means that a user cannot deny what he has done. There needs to be a stamp of every change made and of who has made it. It is very similar to one of the main points, integrity. This one points to the availability of showing the changes and confirming the person who has made them.

Identification means that it must always be possible to identify the user.
Identification requires that changes can be attributed to a username, even though the username can be anonymous.

Authentication means that it is possible to authenticate the user as a legitimate person. The authentication needs to be trustworthy. For example, in company systems the administrator must be able to identify the user, so in these cases the user cannot be anonymous. (Valtionhallinnon salauskäytäntöjen tietoturvaohje 2008)

Making something impossible to break is never possible. There are always ways to break in from some point. A company or a device has to be hard enough to break in to. How hard it must be depends on a few details. How important is it to keep the data confidential? How large would the losses be if someone broke into the system? How much would the attacker benefit from a successful attack? If someone was able to break in to some information, how long would that take, and does the data still need to be secret after that supposed attack time? All of those make a difference to the needed level of security. It is always necessary to compare the costs of a successful attack and the potential losses from the attack. There is no reason to acquire a security system so heavy and expensive that it costs more than the potential losses after the attack.

As background for this research I have used other research about the information security of smart metering, the information security guide of the Finnish government, the Finnish government's guide to analyzing risks to improve information security, and global news articles. I have also conducted two separate interviews with different metering service providers in Finland to gather more information for my project.

Because the object of my thesis is information security, neither of the interviewed persons has been willing to have their name published. I will not name the company that will be using my research either. Any specific information about the holes in the system and possibilities for misuse will not be mentioned here in my thesis.
The findings about those holes will be used by my employer to avoid such risks and to ensure reliable electricity metering for hundreds of thousands of users in Finland.

Some research has been done before on the information security of smart metering. Pike Research has been publishing updated versions every few years. The newest of those, published in 2010, has been used during this project. P. McDaniel and S. McLaughlin completed one in 2009, and some others have been researching the security too. Still, there have not been many investigations of smart meter security yet, and most of the research that has been done is very hard to find unless you have connections to the metering companies. As the meters become more common across the world during the next years, I suppose they will be investigated more.

2 Smart metering in general

Electric companies worldwide are installing new so-called smart meters to follow their customers' consumption. Those new meters have lots of advantages the old ones did not. It is possible to read the meters remotely, and the utilities may have the consumption data daily, even hourly. With the new meters, utilities don't even need to send an installer to the site to disconnect or connect the meter or change its tariff. Also, in countries where people use more gas at their homes, for example by using gas ovens for cooking, it is possible to have the same meter follow electricity and gas consumption.

Smart meters also give electric utilities the possibility to offer new services to customers. People will be able to minimize their consumption when they can follow it on an hourly basis. Utilities will also be able to run demand response programs, where the customer does not need to do anything in order to get more efficient energy use, from both the utility and end-user perspectives. A good example of this is night electricity, which is cheaper for customers to use and decreases the load on the grid, so it's also good for the utility.
The Finnish government wants at least 80% of electricity meters to be changed to smart meters before the end of the year In fact, that milestone will be handled much earlier. For example E.ON has completed it in 2008 and Fortum has already installed most of its planned meter installations in the late The state started to pay some money to utilities for all the installed smart meters that are sending consumption data on an hourly basis before the end of year 2012.

Figure 2: Data flow in smart meters

2.1 Meters remote reading

In this chapter I will take a look at the different ways smart meters communicate with the utility's system. There are a few different ways in which the meters send their data to the electric utility. I will give more specific information about the meter types also used in Europe and will mostly skip those used in the US.

Point to point meters or 2p2

There are several ways in which the meter sends its readings to the utility. One way is point to point meters. In that case there is a SIM card in every meter and it sends the reading over the mobile network. That is used mostly in areas where there is a long distance between the delivery sites, and therefore to other meters, or where there are devices that cause continuing disturbance for meter reading. It is also common for places where the consumption is large, for example in factories.

Point to point meters have some advantages, such as fairly reliable communication with the meter reading systems, at least in Finland, where almost the whole country is under mobile network coverage. Still, it is pretty expensive to have every meter communicating by itself.

PLC network

Some service providers use a Power Line Communication (PLC) network to get the readings. In those cases, there are several meters and a data concentrator (or DC) around the same transformer. The meters send the consumption data to the DC via power lines. The DC has a connection to the mobile network and it sends the data to the service provider.
The DC can be installed on the transformer itself or on some customer's property. The most effective way is to have it installed as near the center of the transformer as possible. Then the meters will be able to send the data straight to it and will not need any repeaters between them. In such a case the data delivery is also the most reliable. The best solution is still to install it on a transformer or a house that always has electricity turned on.

If a concentrator is installed on a delivery site that is, for example, someone's summer cottage, problems with data reliability may arise. Often when people leave their summer cottage, they switch off their main switch, and that also turns the DC off. In such a case none of the meters under the same data concentrator are able to send their readings as long as the DC has no electricity. Because of that, some meter service providers install the meter before the main switch, and therefore the meter or the data concentrator sends the data even though the main switch is turned off.

Radio signals or radio frequency

Radio signals are also one possibility for transferring meter data from a meter to a data concentrator. The meters are installed in the same space. They are all wired and connected to a radio signal transmitter, which sends the data to the data concentrator.

There are already some radio frequency mesh (RF-mesh) systems available on the market. Each meter is equipped with a radio transceiver, so there is no need to wire several meters to one signal transmitter. No Finnish meter provider uses this method. The use of RF-mesh in Europe is very limited because of the network topology. Highly populated areas in urban scenarios and rural networks are not very convenient for RF-mesh.
Radio frequency signals can be disrupted with the same difficulty as PLC, and there is no difference in terms of security.

Data concentrators

In all smart metering systems except the point to point metering system, the meter sends the data it is holding to a data concentrator. The commands from the maintainer are also sent through the DC, which will route the command, for example a remote disconnection command, to the meter. The concentrator gathers the information about consumption, meter errors et cetera and delivers the data to its service provider's system.

Data concentrators are installed in some cases on people's delivery sites behind the meter, but the most common way is to install them on a transformer. The DCs are mainly installed on delivery sites in the countryside, where there are not so many meters in a larger area and there are only a few meters under the concentrator. In the towns the DCs are usually installed on transformers and might have at maximum meters under them. Having information up to meters and their consumption data up to one month and the data packages are larger, so it is important to have the concentrators communicate reliably with the service provider.

DCs usually communicate over the mobile network, which is a reliable, well-protected network and usable in the whole of Finland. Still, it is possible for DCs to use any other Wide Area Network technology to connect with the central systems. Virtually, a DC can be connected to any available WAN technology.

3 Potential technical issues and issues with meter working environment

I will have a look at the possible issues relating to smart metering systems and the people who have access to the data the meters hold. I will start with issues of personal use and use in a business environment. Later I will take a look at the technical issues and the issues caused by people who have access to the meters or the data they are holding.
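The PLC section above notes that when a data concentrator loses power, none of the meters under it can deliver readings. The following is an added example, not code from the thesis or from any metering provider: a sketch of how a service provider could separate a silent DC from a single silent meter when checking the availability of hourly readings. The meter and DC identifiers and all readings are constructed.

```python
from collections import defaultdict

# Constructed topology: meters grouped under the data concentrator (DC) they report through.
TOPOLOGY = {"DC-A": ["M1", "M2", "M3"], "DC-B": ["M4"]}

def build_sample(hours):
    """Constructed hourly readings as (meter, hour, kWh) tuples with deliberate gaps."""
    rows = []
    for h in hours:
        for meter in ("M1", "M2", "M3", "M4"):
            if 6 <= h <= 9 and meter in TOPOLOGY["DC-A"]:
                continue  # whole DC-A silent, e.g. main switch turned off at the DC site
            if meter == "M2" and h in (14, 15):
                continue  # only M2 silent while its siblings keep reporting
            if meter == "M4" and h == 20:
                continue  # the only meter behind DC-B is silent
            rows.append((meter, h, 0.5))
    return rows

def to_spans(hours):
    """Collapse a sorted list of hours into inclusive (start, end) spans."""
    spans = []
    for h in hours:
        if spans and h == spans[-1][1] + 1:
            spans[-1] = (spans[-1][0], h)
        else:
            spans.append((h, h))
    return spans

def classify_gaps(topology, readings, hours):
    """Sort missing readings into DC-wide outages, single-meter gaps and ambiguous cases."""
    seen = defaultdict(set)
    for meter, hour, _kwh in readings:
        seen[meter].add(hour)
    result = {"dc_outage": {}, "meter_gap": {}, "ambiguous": {}}
    for dc, meters in topology.items():
        # Hours in which no meter under this DC delivered a reading.
        silent = [h for h in hours if not any(h in seen[m] for m in meters)]
        if silent:
            # With one meter behind a DC, a gap cannot be attributed to either device.
            key = "dc_outage" if len(meters) > 1 else "ambiguous"
            result[key][dc] = to_spans(silent)
        for m in meters:
            # Hours this meter missed although the DC was demonstrably passing data.
            own = [h for h in hours if h not in seen[m] and h not in silent]
            if own:
                result["meter_gap"][m] = to_spans(own)
    return result

if __name__ == "__main__":
    day = list(range(24))
    for kind, items in classify_gaps(TOPOLOGY, build_sample(day), day).items():
        print(kind, items)
```

A DC-wide outage points at the concentrator's power or WAN link, while a single-meter gap under a working DC points at that meter or its PLC path, so the two are worth routing to different follow-up.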
I will have a look at the possible technical issues of the meters and how the information is sent from the meter and delivered to the electric utility. I will have a look at every step the data goes through and think about how it could be delivered more securely.

Smart meters must be viewed in both contexts, as part of the entire grid and also as part of home area networks. Securing parts of a network individually does not make it a secure network. Smart meters have to be secured in a way that the meter or its data cannot be used to attack the other devices of the network or the grid itself. (Lockhart, Wheelock 2010, 8)

Smart meters may be parts of two networks, a home area network (HAN) and the smart grid. So in theory smart meters might bridge the HAN and the grid, which can be counted as a neighborhood area network (NAN). These two networks are mutually untrusted, so they must remain separated. There are several services that let a utility build and run a more secure smart meter network. (Lockhart, Wheelock 2010, 12)

3.1 Issues with personal use

There are not many reasons for anyone to attack his own electricity meter or anyone else's. While the main function of the meters is delivering consumption data from a customer to his electric company for invoicing, there are some other functions as well. With the correct information a potential customer could connect the meter, allowing him to use electricity without having a contract and therefore without paying. The same thing would be possible for a customer who has not paid his bills and whose smart meter has been disconnected. It could also be possible for a customer to distort the consumption data to reduce his bills. In these cases the utility would lose some money. The sums would be pretty small compared to the electric utility's cash flow, but it would still be a loss.

Most likely no one would be hacking just one meter to gain a small benefit for himself.
If a hacker were able and willing to hack a meter, most likely he would try a massive strike, attacking at least thousands of meters.

Smart meters gather much information about their users. Gathering that information could give the data holder information about the consumer's way of living, potential diseases, the devices he uses at his home and even the times when he's sleeping. That is a reason why the European Data Protection Supervisor (EDPS) finds a lot of privacy issues in smart metering. (BBC news 2012)

Also, by following people's consumption data some burglars could see when the residence is empty. That would allow them to rob the house without anyone noticing it for a long time. The same information ca